Data Protection reform has been a consistent theme of government policy over the past couple of years. The previous government had two attempts at reforming the law relating to data protection in the form of the Data Protection and Digital Information Bill and then the (cleverly titled) Data Protection and Digital Information (No 2) Bill. The first attempt was abandoned, and the second attempt did not make it through parliament before the general election held earlier this year. The new government is now having its own attempt, having introduced into the House of Lords the Data (Use and Access) Bill on 23 October 2024.
For those who were familiar with the proposals in the bills introduced by the previous government, there is a lot in the Data (Use and Access) Bill that is familiar; however, the government is not going ahead with some of the proposals from the previous government and has introduced some of its own proposals for good measure.
Abolition of the Information Commissioner
Potentially the biggest reform within the bill (and one which has carried over from the previous government’s bills) is to replace the Information Commissioner with a body corporate to be known as the Information Commission. Currently, everything in relation to data protection (and everything else that the ICO does) rests in the hands of one person: the Information Commissioner (currently John Edwards).
The model of a single office holder as the regulator has persisted since the introduction of the Data Protection Registrar in the Data Protection Act 1984. Over the years the Data Protection Registrar has evolved into the Information Commissioner as data protection regulation has evolved and the role gained new responsibilities in other areas (such as freedom of information). The previous government considered, and the present government would seem to agree, that the model was no longer appropriate for a regulator of the size of the Information Commissioner’s Office and with the range of functions that the Commissioner has.
Some of the more controversial elements of the previous government’s proposal for the establishment of a new body have not been carried over by the present government. In particular, the proposal to require the regulator to follow a statement of strategic priorities prepared by the Secretary of State has not been carried forward. This was an element of previous proposals that caused concern about the regulator’s independence from the government. However, the Secretary of State will still be responsible for appointing non-executive members of the commission (who, in turn, will be responsible for appointing the executive members of the commission). The Chair of the Commission will be appointed by The King on the recommendation of the Secretary of State. Given the role of the Secretary of State in the appointment of members of the commission, some concerns may remain about the independence of the new commission from the government. The Scottish Information Commissioner, for example, is appointed by The King after nomination by the Scottish Parliament, and that method of appointment has been suggested by some in the past as a method of appointment for the UK Information Commissioner (without any success). There may be, as this bill navigates its parliamentary journey, suggestions that there ought to be more involvement by parliament in the appointment process for members of the new commission.
Legitimate Interests
The proposal to create a list of “recognised legitimate interests” is being carried over into the current government’s bill; however, the list of “recognised legitimate interests” is not identical to the list in the previous government’s proposals. In particular, “democratic engagement” does not feature, as it would have done under the previous government’s proposals. The list of recognised legitimate interests will be subject to amendment by regulations made by the Secretary of State.
Rights of data subjects
The bill contains some minor changes to the rights of data subjects. It will codify the principle that data controllers have an obligation to carry out reasonable and proportionate searches for personal data in response to subject access requests. This implied obligation currently flows from a decision of the Court of Appeal in England and Wales in respect of cases under the (now repealed) Data Protection Act 1998. Decisions of the Court of Appeal are not binding on Scottish courts, even in relation to UK-wide legislation (and there are examples in other fields of the Scottish courts disagreeing with the English and Welsh courts in relation to UK-wide legislation resulting in the Supreme Court having to step in and sort it out), and so placing it on a statutory footing will provide certainty for controllers and data subjects elsewhere in the UK.
Another change of note is a new right of complaint to the controller by the data subject. Currently there is nothing to stop data subjects making a complaint to a controller about a response that they receive to, for example, a subject access request, but there is no legal obligation on the controller to deal with the complaint. Under the proposals in the Data (Use and Access) Bill, controllers would be required to deal with such complaints. This right is in addition to the right to complain to the Information Commissioner and the right to raise court proceedings seeking a compliance order; however, the Bill does not propose making a complaint to the controller a pre-requisite to doing either of those things.
The time for dealing with, for example, a subject access request will explicitly be stopped where further information is required by the controller. Current ICO guidance is that the days between requesting clarification and that clarification being provided do not count towards the time for responding to the request, but it is now proposed to make this the law.
Financial Penalties
The maximum penalty that the Information Commissioner can impose for contraventions of the Privacy and Electronic Communications (EC Directive) Regulations 2003 will be aligned with the maximum financial penalties under the UK GDPR (increasing it from £500,000 to the greater of £17,500,000 or 4% of global turnover). This is not a new proposal, having been carried over from the previous government’s proposals.
International Transfers
The bill will amend chapter 5 of the UK GDPR, which covers transfers of personal data to other countries and to international organisations. The Secretary of State will still be able to make adequacy decisions by way of regulations; however, a new Article 45A will be inserted into the UK GDPR which will provide that the Secretary of State may only make such regulations where they consider that “the data protection test” is met in relation to the transfers covered by the regulations. The test will be met where the protection provided in relation to the processing of personal data “is not materially lower than the standard of protection provided for data subjects” by the UK GDPR and Parts 2, 5, 6 and 7 of the Data Protection Act 2018. This will likely give the government much more flexibility when it comes to making adequacy regulations.
Interview Notices
The proposal to confer a power on the Information Commissioner to compel a person to attend an interview (including where the Commissioner suspects that a criminal offence has been committed) has been carried over into the Data (Use and Access) Bill. It is a power that is unlikely to be used often but adds to the tools available to the Commissioner should his office face any difficulties during investigations.
Significant proposals that are absent from the Data (Use and Access) Bill
The above proposals are just some of those contained within the Data (Use and Access) Bill; however, there are some significant proposals from the previous government that have not been carried over. These include:
- Replacing the Data Protection Impact Assessment with an “Assessment of high-risk processing”;
- Limiting the requirement to maintain a Record of Processing Activity to only high-risk processing; and
- The replacement of data protection officers with “senior responsible individuals”.
There is much more to this bill, both in terms of data protection reform and other data use and access matters, and it will now continue its passage through Parliament (its second reading in the House of Lords is on 19 November 2024). It is, of course, probable that there will be amendments to the bill during its passage; however, given that many of the significant proposals have already been the subject of substantial parliamentary consideration, it may well be that there are no significant amendments to it. We are at the early stages of a parliament in which the government has a sizeable majority, so it can be expected that this Bill will complete its parliamentary journey and become law (in whatever final form it takes).
Disclaimer: This article is for information purposes only and nothing in it should be taken as constituting legal advice.